It’s not uncommon to hear people refer to updating dependencies as “dependency management”. They’re not wrong; keeping dependencies up to date is a big part of dependency management, but it’s not everything. Read on to learn more about the differences between the two.
Let’s first briefly break down what dependencies are.
Dependencies are the relationships between software components that rely on each other to work. A direct dependency is a component that your component calls itself. An indirect (transitive) dependency is one your component reaches only through another dependency: if component A calls component B, and B calls component C, then C is an indirect dependency of A.
Sounds fairly straightforward, but of course component A could rely on components B, D, E, F, and G; component B could rely on C and G; component G might only work with one particular version of component F; and…you get the idea. These relationships can get very complicated. Moreover, these components are usually projects maintained by other developers, meaning you have no control over how their newer versions will be built or how they will behave.
Dependency management involves selecting, identifying, or defining all of these different relationships and resolving the conflicts that arise between them. Some minimal amount of dependency management will be done every time a new component is added to a project and every time an existing component is updated.
Some specific dependency management tasks include:
For a deeper look at dependency management, check out this blog.
Obviously, a theoretical static software project that works just fine has no need for dependency management once it’s built. But in reality, nearly all projects will be expanded upon at some point, or at least updated for security purposes.
Which leads us to dependency updates.
Software will need to be updated. It’s a simple fact of life and is the main reason solid dependency management throughout a project’s entire lifecycle is so necessary.
But updating isn’t always easy. As new versions of each component come out, perhaps to add new functionality or to patch security issues, the relationships between components mean that updating one component can cause another to stop working.
And perhaps updating that other component would fix the first problem but create a new problem with an entirely different component! This is referred to as dependency hell, and even fairly small projects can find themselves in the depths of it.
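To make the direct/indirect distinction and the update trap concrete, here is a small added example (not code from the original post or from Mend): a toy transitive resolver over a constructed registry of components A through G with made-up version constraints. It walks the dependency graph breadth-first, picks the newest version satisfying each constraint, and reports conflicts. Three scenarios follow the text: a pinned set that resolves cleanly, a bump of B that breaks a transitive constraint on F, and a bump of A that fixes F but fails on an unrelated component D. The component names, versions, and constraints are all assumptions for illustration.

```python
"""Toy transitive dependency resolver that surfaces version conflicts.

Constructed example: components A..G and their version constraints are made
up for illustration and do not correspond to real packages.
"""
from collections import deque

# Registry: component -> version -> {dependency: constraint}.
# Versions are integers (think major versions); a constraint is
# ("==", n) or (">=", n).
REGISTRY = {
    "A": {1: {"B": (">=", 1), "D": (">=", 1), "F": (">=", 2)},
          2: {"B": (">=", 2), "D": (">=", 2), "F": ("==", 1)}},
    "B": {1: {"C": (">=", 1), "G": ("==", 1)},
          2: {"C": (">=", 2), "G": (">=", 2)}},
    "C": {1: {}, 2: {}},
    "D": {1: {}},
    "F": {1: {}, 2: {}},
    "G": {1: {"F": (">=", 1)},
          2: {"F": ("==", 1)}},
}


def satisfies(version, constraint):
    op, n = constraint
    return version == n if op == "==" else version >= n


def resolve(registry, root_requirements):
    """Greedy, breadth-first transitive resolution.

    Returns (chosen, conflicts): chosen maps every reached component to the
    version selected for it; conflicts is a list of explanations and is
    empty only when the whole set is consistent. Root requirements are
    processed first, so a pin in the root (a lockfile entry) wins over a
    looser transitive constraint. There is no backtracking: the first
    incompatibility is reported rather than searched around, which is
    the situation the text calls dependency hell.
    """
    chosen = {}
    conflicts = []
    queue = deque((name, c, "<root>") for name, c in root_requirements.items())
    while queue:
        name, (op, n), required_by = queue.popleft()
        want = f"{name}{op}{n}"
        if name in chosen:
            if not satisfies(chosen[name], (op, n)):
                conflicts.append(
                    f"{required_by} needs {want} but {name}=={chosen[name]} was already selected")
            continue
        candidates = [v for v in registry.get(name, {}) if satisfies(v, (op, n))]
        if not candidates:
            conflicts.append(f"{required_by} needs {want} but no such version exists")
            continue
        version = max(candidates)  # newest version that satisfies the constraint
        chosen[name] = version
        for dep, dep_constraint in registry[name][version].items():
            queue.append((dep, dep_constraint, f"{name}=={version}"))
    return chosen, conflicts


def indirect_dependencies(chosen, root_requirements):
    """Components pulled in only transitively (not named by the root)."""
    return sorted(set(chosen) - set(root_requirements))


# Three scenarios following the text: a working pinned set, a single update
# that breaks a transitive relationship, and a second update that fixes the
# first problem but creates a new one with an entirely different component.
SCENARIOS = {
    "pinned":   {"A": ("==", 1), "B": ("==", 1)},
    "bump B":   {"A": ("==", 1), "B": ("==", 2)},
    "bump A+B": {"A": ("==", 2), "B": ("==", 2)},
}


def run_scenarios(registry=REGISTRY, scenarios=SCENARIOS):
    """Resolve each scenario; returns {scenario: (chosen, conflicts)}."""
    return {label: resolve(registry, reqs) for label, reqs in scenarios.items()}


if __name__ == "__main__":
    for label, (chosen, conflicts) in run_scenarios().items():
        print(f"[{label}] chosen={chosen}")
        for c in conflicts:
            print(f"  conflict: {c}")
```

In the "pinned" scenario only A and B are direct dependencies; C, D, F and G arrive transitively, which is why a project that only tracks what it explicitly installs still ends up shipping code it never chose. Real resolvers do backtrack, but the underlying constraint problem is the same, and recording the resolved set (a lockfile) is what lets the next update be compared against a known-good state.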
So how are dependency updates managed?
While small projects can conceivably get away with manual updates, larger projects almost certainly cannot. The absolute worst way to deal with managing updates is to not update at all. Don’t do that. It means you are choosing to take on technical debt you don’t need, and it leaves known, already-patched vulnerabilities in your components exactly where attackers expect to find them. (You can read more about dependency management and technical debt here.)
Here are some ways to manage dependency updates without getting sent straight to dependency hell:
Updating dependencies is just one aspect of dependency management, albeit a very important one. Dependency management also includes keeping track of which components go into your projects, their versions, and their reliance on other components, as well as resolving conflicts between components.
*** This is a Security Bloggers Network syndicated blog from Mend authored by AJ Starita. Read the original post at: https://www.mend.io/blog/dependency-management-vs-dependency-updates-whats-the-difference/